May 10th, 2011



The past week was consumed by a possible security breach at my password vault vendor, LastPass. In the interest of recognizing when people do well, it's worth calling this out.

(Context: LastPass is an online vault. You choose a single, preferably very-high-strength password, and use that to encrypt a file containing all your other passwords. They store the file online, make it available to pretty much every browser you use, and integrate nicely with most of them. I use it extensively, and like it a lot.)

First of all, they show a healthy and appropriate level of paranoia. None of this is because there was a demonstrated security breach; instead, they simply keep an eye on their internal network traffic, and detected a modest blip that they couldn't account for, which *could* have been large enough to be someone stealing a modest number of password files. In an age where companies routinely try to hush up big breaches, I have a lot of respect for one that goes into full alert on the basis of mere credible evidence of a small one.

On the downside, they clearly didn't have a policy in place yet for such an incident, and a few hours of serious tail-chasing ensued. But they got their act together quickly, and started iterating solutions. Their first solution was, frankly, too draconian -- forcing everyone to change their master passwords. (The issue wasn't that master passwords had been stolen -- LastPass themselves don't have copies -- but that a determined attacker could apply brute-force dictionary attacks to break password files with weak master passwords.)

By the next day, they'd come up with a reasonably appropriate and nuanced solution: if you try to log in from an unknown IP address, they route a confirmation through your registered email address, and require you to either (a) change your master password, or (b) state that you think yours is strong enough. That seems just about right. I don't need to change mine -- while a very small number of people might be able to look at my password and understand what it's a reference to, it's fairly long and not breakable with any technique I know of. (It's not even a literal passphrase, but has been idiosyncratically mutated.) But I actually appreciate them forcing me to pause and make that decision consciously.
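To make the login-gating policy described above concrete, here is an added example (not LastPass's code, and not part of the original post) of how such a "known IP or confirm by email" check can be structured. The names, the 15-minute token lifetime, single-use tokens, and binding the token to the IP that triggered it are all my assumptions; the page only describes the visible behaviour.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumption: a confirmation link is only honoured for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    email: str
    known_ips: set = field(default_factory=set)
    # token -> (ip that triggered it, time issued); tokens are single use
    pending: dict = field(default_factory=dict)
    attested_strong: bool = False   # user said "my master password is strong enough"
    password_changed: bool = False  # user chose to rotate the master password


class LoginGate:
    """Allow logins from known IPs; route anything else through an e-mailed
    confirmation that forces an explicit decision about the master password."""

    def __init__(self, send_email, now=time.time):
        self.send_email = send_email  # callable(email, token); injected so tests can capture it
        self.now = now                # injected clock so expiry can be tested
        self.accounts = {}

    def register(self, username, email, ip):
        self.accounts[username] = Account(email=email, known_ips={ip})

    def attempt_login(self, username, ip):
        acct = self.accounts[username]
        if ip in acct.known_ips:
            return "allowed"
        # Unknown IP: issue an unguessable token and send it out of band.
        token = secrets.token_urlsafe(32)
        acct.pending[token] = (ip, self.now())
        self.send_email(acct.email, token)
        return "confirmation_required"

    def confirm(self, username, token, ip, decision, new_password=None):
        acct = self.accounts[username]
        # Constant-time comparison against each outstanding token.
        match = next((t for t in acct.pending if hmac.compare_digest(t, token)), None)
        if match is None:
            return "rejected: unknown token"
        pending_ip, issued = acct.pending.pop(match)  # consume it: single use
        if self.now() - issued > TOKEN_TTL_SECONDS:
            return "rejected: expired"
        if pending_ip != ip:
            # The link was opened from somewhere other than the IP that triggered it.
            return "rejected: ip mismatch"
        if decision == "change":
            if not new_password:
                return "rejected: new password required"
            # The service never holds the master password itself; the client
            # re-encrypts the vault. Here we only record that it happened.
            acct.password_changed = True
        elif decision == "keep":
            acct.attested_strong = True
        else:
            return "rejected: decision required"
        acct.known_ips.add(ip)
        return "allowed"
```

The interesting choices are the ones the prose leaves implicit: the token is consumed on first use whatever the outcome, a mismatch between the IP that triggered the mail and the IP presenting the token is treated as a failure rather than silently accepted, and the user cannot get through without picking one of the two options.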

So props to LastPass: they seem to have handled their first really serious crisis decently well. They're still on my list of recommended tools -- I commend them as a good option for managing your passwords, if you want such a system. (And I ask that, if you use them, please sign up for the "premium" package. The extra features are slight, but the price is low -- just $12/year -- and it's well worth supporting the company...)